我正在编写一个脚本,从一个目录结构中复制权限,并将其重新应用到另一个。我不能简单地使用icacls \mypath* /save file.acl /T,因为我需要在保存和恢复之间进行一些调整,因此使用PowerShell的(Get-ACL $path).Access输出更简单。
在这样做的过程中,我试图将this的输出(即FileSystemRights(映射到其等效的icacls权限;然后,我将用逗号分隔的权限列表包装在括号中,以便通过icacls应用。
[string[]]$rights = $InputObject.FileSystemRights -split 's*,s*' # note: FileSystemRights here is just a string rather than having been converted to ENUM, as I've just pulled it straight from CSV
switch ($rights) {
'AppendData' {'AD'}
#'ChangePermissions' {'?'}
#'CreateDirectories' {'?'}
'CreateFiles' {'WD'} # duplicate of WriteData
'Delete' {'DE'} # or D?
'DeleteSubdirectoriesAndFiles' {'DC'}
'ExecuteFile' {'X'}
'FullControl' {'F'}
'ListDirectory' {'RD'} #duplicate of read data
'Modify' {'M'}
'Read' {'R'} # or GR?
'ReadAndExecute' {'RX'}
'ReadAttributes' {'RA'}
'ReadData' {'RD'}
'ReadExtendedAttributes' {'REA'}
'ReadPermissions' {'RC'}
'Synchronize' {'S'}
'TakeOwnership' {'WO'}
#'Traverse' {'?'} # or does this mean to specify the /T option? Not really a permission
'Write' {'W'} # or GW?
'WriteAttributes' {'WA'}
'WriteData' {'WD'}
'WriteExtendedAttributes' {'WEA'}
Default {Write-Warning "Could not find icacls permission for file system right: '$_'"} # Note: This may also occur if we get a numeric value for the rights instead of a comma separated list of enum names. Once I've got the mapping I'll code a fix to handle that scenario too.
}
问题
我不确定上面的映射;在某些情况下,我无法计算出等效值是什么(例如ChangePermissions、CreateDirectories、Traverse(,而在其他情况下,则有多种可能性(例如,Read/Write应该映射到R/W或GR/GW;或者没有区别吗(?我查看了文档并在网上搜索过,但对这些权限的大多数解释都没有比给出这些缩写的名称更详细。
附加上下文
当我说我需要做一些调整时,我是从旧域上的旧文件共享导出权限,并将其导入到新域,所以我需要将旧域用户的一些帐户映射到新域中使用的SID(我们有一个SIDHistory,但我们的目标是干净地做事情,而不是依赖于这个长期(。在新域中也存在一些组,它们是来自旧域的组的等价物,但没有关系(即,它们不是从旧域迁移过来的;尽管它们的功能基本相同。编辑ICACLS保存的信息的输出很复杂,因为结构非常简单。这不是不可能的,但比我感觉更麻烦。
我需要将PS/.Net输出映射回icacls格式的原因是,目标共享位于Azure文件上(启用了AADDS(;所以Set-ACL不起作用,而icacls起作用。
我已经为继承部分创建了类似的逻辑:
[string[]]$if = $InputObject.InheritanceFlags -split 's*,s*'
[string[]]$pf = $InputObject.PropagationFlags -split 's*,s*'
switch ($if) {
'ContainerInherit' {'(CI)'}
'ObjectInherit' {'(OI)'}
}
switch ($pf) {
'InheritOnly' {'(IO)'}
'NoPropagateInherit' {'(NP)'}
}
if ($InputObject.IsInherited) {
'(I)'
}
对于任何不熟悉PowerShell的switch语句的人;功能能够处理数组中的每个项目;因此不需要逻辑循环通过CCD_ 14中的每个右边。点击此处了解更多信息。
更新2020-06-16 10:00
我刚刚意识到有一种简单的方法可以查看FileSystemRights中包含重复项的位置。以下代码标识这些。这解决了我使用Traverse和CreateDirectories的问题。
[Enum]::GetNames([System.Security.AccessControl.FileSystemRights]) |
sort |
%{[PSCustomObject]@{
Name = $_
FSR = ([System.Security.AccessControl.FileSystemRights]$_)
}} |
ft -AutoSize
这表明我可以重用的一些现有值
Name FSR
---- ---
AppendData AppendData
ChangePermissions ChangePermissions
CreateDirectories AppendData <-- i.e. AD
CreateFiles CreateFiles
Delete Delete
DeleteSubdirectoriesAndFiles DeleteSubdirectoriesAndFiles
ExecuteFile ExecuteFile
FullControl FullControl
ListDirectory ReadData <-- i.e. RD
Modify Modify
Read Read
ReadAndExecute ReadAndExecute
ReadAttributes ReadAttributes
ReadData ReadData
ReadExtendedAttributes ReadExtendedAttributes
ReadPermissions ReadPermissions
Synchronize Synchronize
TakeOwnership TakeOwnership
Traverse ExecuteFile <-- i.e. X
Write Write
WriteAttributes WriteAttributes
WriteData CreateFiles <-- i.e. WD
WriteExtendedAttributes WriteExtendedAttributes
在研究如何转换我认为无效的数值时(即认为它们是由枚举值组成的;尽管由于某种原因,在转换[System.Security.AccessControl.FileSystemRights]268435456时没有解决(,我看到了这篇文章,然后从中找到了这篇。
考虑到那里的信息,以及我在上一次更新中对重复值的发现,我现在已经将映射写为:
[string[]]$rights = $InputObject.FileSystemRights -split 's*,s*' # note: FileSystemRights here is just a string rather than having been converted to ENUM, as I've just pulled it straight from CSV
switch ($rights) {
'-2147483648' {'GR'}
'268435456' {'GA'}
'536870912' {'GE'}
'1073741824' {'GW'}
'AppendData' {'AD'}
'ChangePermissions' {'WDAC'}
'CreateDirectories' {'AD'} # duplicate of AppendData
'CreateFiles' {'WD'} # duplicate of WriteData
'Delete' {'DE'} # or D?
'DeleteSubdirectoriesAndFiles' {'DC'}
'ExecuteFile' {'X'}
'FullControl' {'F'}
'ListDirectory' {'RD'} # duplicate of read data
'Modify' {'M'}
'Read' {'R'}
'ReadAndExecute' {'RX'}
'ReadAttributes' {'RA'}
'ReadData' {'RD'}
'ReadExtendedAttributes' {'REA'}
'ReadPermissions' {'RC'}
'Synchronize' {'S'}
'TakeOwnership' {'WO'}
'Traverse' {'X'} # duplicate of ExecuteFile
'Write' {'W'}
'WriteAttributes' {'WA'}
'WriteData' {'WD'}
'WriteExtendedAttributes' {'WEA'}
Default {Write-Warning "Could not find icacls permission for file system right: '$_'"} # Note: This may also occur if we get a numeric value for the rights instead of a comma separated list of enum names. Once I've got the mapping I'll code a fix to handle that scenario too.
}
为了将ChangePermissions解析为WDAC,我只使用Get-ACL和Set-ACL将ChangePermissions访问权限仅分配给文件夹上的唯一用户,然后使用icacls查询该文件夹的权限。